some more waf hate: default deny

From Jeremiah Grossman:

To implement default-deny Web Application Firewalls (WAF) must know everything about a website at all times, even when they change. That’s programmatically documenting every expected request method, URL, parameter name/value pair, cookie, process flow, etc making default-permit deployments the rule rather than the exception.

That’s probably why my Citrix Netscaler comes with an application firewall, but has no real default rules. They have to be created for the application it is protecting.
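To make the quoted point concrete, here is an added example (my own illustration, not code from Grossman's post, from this blog, or from the Citrix product) of a toy positive-security-model filter in Python. The request shape, the hypothetical site paths, the per-parameter value rules and all sample traffic are assumptions constructed for the example and are not the configuration format of any real WAF. It derives an allow-list from traffic captured while the site was known-good, then shows what happens after a release adds a parameter and an endpoint: the legitimate new requests are denied until the list is re-learned, which is the ongoing documentation cost that pushes deployments toward default-permit.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """Minimal request shape for the example (constructed, not a real WAF type)."""
    method: str
    path: str
    params: tuple = ()    # ((name, value), ...) kept as a tuple so the dataclass stays hashable
    cookies: tuple = ()


# Hypothetical value rules for a hypothetical site: a parameter or cookie name maps
# to a regex its value must match in full. Names without a rule fall back to a
# conservative generic pattern.
VALUE_RULES = {
    "page": r"\d{1,3}",
    "user": r"[a-z0-9_]{1,32}",
    "session": r"[0-9a-f]{32}",
}
GENERIC_VALUE = r"[\w .@-]{0,64}"


def build_spec(known_good):
    """Derive the allow-list from requests known to be legitimate.

    This is the 'learning' step: per path, record which methods and which
    parameter and cookie names were observed. Nothing else will be allowed.
    """
    spec = {}
    for r in known_good:
        entry = spec.setdefault(r.path, {"methods": set(), "params": set(), "cookies": set()})
        entry["methods"].add(r.method)
        entry["params"].update(name for name, _ in r.params)
        entry["cookies"].update(name for name, _ in r.cookies)
    return spec


def check(req, spec):
    """Return (allowed, reason). Anything the spec does not describe is denied."""
    entry = spec.get(req.path)
    if entry is None:
        return False, f"unknown path {req.path}"
    if req.method not in entry["methods"]:
        return False, f"method {req.method} not expected on {req.path}"
    for kind in ("params", "cookies"):
        for name, value in getattr(req, kind):
            if name not in entry[kind]:
                return False, f"unexpected {kind[:-1]} {name!r} on {req.path}"
            pattern = VALUE_RULES.get(name, GENERIC_VALUE)
            if not re.fullmatch(pattern, value):
                return False, f"{kind[:-1]} {name!r} value does not match {pattern}"
    return True, "matches allow-list"


def evaluate(requests, spec):
    """Run the allow-list over a batch; returns a list of (allowed, reason) pairs."""
    return [check(r, spec) for r in requests]


# Constructed traffic captured while the site was known to be clean.
KNOWN_GOOD = [
    Request("GET", "/search", (("q", "default deny"), ("page", "2"))),
    Request("POST", "/login", (("user", "alice"), ("pass", "correct horse")), (("session", "0" * 32),)),
]

# Constructed traffic after a release that added a 'sort' parameter and an
# /export endpoint, plus one request whose value falls outside the generic pattern.
AFTER_RELEASE = [
    Request("GET", "/search", (("q", "waf"), ("page", "1"))),        # unchanged: allowed
    Request("GET", "/search", (("q", "waf"), ("sort", "date"))),     # legitimate new parameter: denied
    Request("GET", "/export", (("format", "csv"),)),                 # legitimate new path: denied
    Request("GET", "/search", (("q", "50% off!"), ("page", "1"))),   # '%' and '!' not in the generic class: denied
]

if __name__ == "__main__":
    spec = build_spec(KNOWN_GOOD)
    for r, (ok, why) in zip(AFTER_RELEASE, evaluate(AFTER_RELEASE, spec)):
        print("ALLOW" if ok else "DENY ", r.method, r.path, "-", why)
    # Re-learning from the new release's legitimate traffic is the recurring
    # cost the quote describes; only then do the two new requests pass.
    relearned = build_spec(KNOWN_GOOD + AFTER_RELEASE[1:3])
    for r, (ok, why) in zip(AFTER_RELEASE, evaluate(AFTER_RELEASE, relearned)):
        print("after re-learn:", "ALLOW" if ok else "DENY ", r.method, r.path, "-", why)
```

The two false positives in the middle of the batch are the whole argument: they are not attacks, just the application changing underneath a spec that was complete yesterday, and a team that cannot keep the spec current every release ends up switching the device to monitor-only or to a signature list.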

the debate whether browser crash bugs are security issues

Tyler Reguly over at nCircle posted about IE choosing to label browser crash issues as stability issues and not security issues. This has come up before on Farnum’s blog.

I have a somewhat subtle approach to defending the “not always a security issue” position, but it doesn’t always come to me quickly. So this post is just here for future inspirational reference for myself on where to jog my thought juices.

In a nutshell, I play devil’s advocate towards saying browser crashes are not always security issues. This is a security issue when your site has malicious code embedded in it that prevents users from using your site (a security issue from the POV of the site owner). Or when the users have a legitimate purpose to be on the site which has malicious code embedded in it (a security issue from the POV of the user).

Anything else really is a stability issue. Besides, do your users really need to get to that malicious site that crashed their browser?

Caveat? Yes. When a piece of crash code can be reproduced and embedded quickly in sites all over the place, at which point it maybe affects enough people to be an actual security concern.

quiet tuesday venting

It’s been a bad day, so I’m dropping a few loads on the blog for grins.

You know, I never authorized junk mailers to send my personal information through the Postal Service. I should sue both them and the Postal Service for employing handlers through whom my personal information passes every single day! Seriously, a sealed envelope is so easy to break into. Shouldn’t correspondence with me be encrypted? This is outrageous! *fist pound on desk* How dare you display my name and address for the whole world to see! This is private information! (Yeah, I’m also annoyed when I read articles that get panties bunched about disclosed information that isn’t private or sensitive at all!)

Cloud computing. Hrm, my cloud computing is me being stuck on a problem, asking for some help from people I know (or don’t personally know) on the net, and getting back an answer. That’s my cloud computing. Marketing can get over it.

I really have come to hate two marketing/sales phrases that are grossly overused. “Our product is like product Z on steroids.” So, don’t steroids have a wide range of detrimental effects and are banned in most sports? How evil. “Our product is like a swiss army knife in the ABC space.” Yeah, too bad that’s what everyone else is claiming too. Don’t tell me these things. At all. Just get into showing me the goods.

And I just have to add that Jack Thompson continues to fall further and further into the dark spiral that is Losing Touch with Reality. Gamers know what I’m talking about…

thoughts on the challenges of it consultants

We have a couple consultants (I use consultants and contractors synonymously in this post) in this week to do some work for us on implementing a piece of technology that we have not had the time nor expertise (the expertise recently left us) to get done ourselves.

Two issues I have with using consultants to get work done.

1) Consultants should be used when a team is lacking expertise, but I am dubious whether they are useful when a team is lacking in time. Consultants cannot just come in and know how to build systems the way you build them, or fit right into your environment or network or business processes. To me, it seems consultants are best when directing an existing staff member through something new; not when they are doing the work and the staff are too busy to help or absorb knowledge. This indicates a need for more staff, not consultants to triage and bandage. (To note, we are hiring, but getting absolutely nothing for resumes.)

2) Consultants are notorious for ignoring security. “Aw, just make it a domain/local admin and it’ll work fine,” is a common response. When left in a vacuum to make their own decisions, they too often ignore security ramifications. I’m not entirely surprised. Staffers under the gun for a deadline will likely also get things done and think about security later, but consultants seem to be under more pressure to get things done quickly and stop billing the customer!

BackTrack 3 Final release…well, release plans anyway

I see Muts has announced that BackTrack 3 Final is ready to be released, but is not quite released yet. I’ve had BT3 beta installed for a while now, and will be happy to wipe it away for the final version. I am pretty sure the download link will appear where the beta is now.

If you happened to get the IRC pre-release copy, good for you! I haven’t logged into IRC in a while so missed out on that event last week. I’ve been putting off getting irssi+screen up on an old system to just stay on all the time, rather than bounce on and off with my laptops.

getting ringtones on verizon env2

Update 11/23/2009: I now have an env3 phone and I can say that the worst steps below are no longer an issue. If you put a file on a microSD card and plug that into the phone, the interface menu will immediately let you set it as a sound or ringtone. Verizon is moving in the correct direction in terms of no longer making stupid restrictions.

I recently upgraded my phone through my cell provider, Verizon. I picked up a nice LG enV2 (VX9100). As expected with Verizon, based on my previous RAZR experiences, getting one’s own ringtones on the phone takes some effort. But so far it is at least possible.

I was able to get my own files set as ringtones on my phone by using a microSD card to get the files from my computer to the phone. Then I texted them to myself so I could save it into ringtones. I’m sure this can be done via Bluetooth or a direct USB link, but this is the method I chose.

1. Pick up a microSD card and USB card reader. I chose a $14 set from Newegg.

2. Insert the microSD card into the phone’s microSD slot (really!). Note: Be careful where and how you do this. The card insertion pretty much requires the use of fingernails, and the spring mechanism to eject the card is quite happy to shoot it out if you slip while pushing it in.

3. On the phone choose Menu, 9. Settings & Tools, 9. Memory, 3. Card Memory, Options, Format. This will format the card, and it will also place some folders on it for My Sounds, My Videos, etc. I’m sure these are not special and can be created by hand, but I’ve not done extensive testing.

4. Remove the microSD card from the phone (carefully!), put it into the USB card reader, and insert it into the computer’s USB slot. This should come up like any other USB drive and be immediately accessible and writable.

5. Copy the desired files to the card. I used the My Sounds folder. The file format can be .wav or .mp3, and whatever else the phone will play, I’m sure. I used .wav.

6. Reinsert the microSD card into the phone.

7. On the phone choose Menu, 9. Settings & Tools, 9. Memory, 3. Card Memory, 5. My Sounds and verify the phone sees the files. This actually didn’t work right away for me the first time, but after a few minutes they showed up just fine. Since then it has been instant.

8. From the start screen now (hit END), choose Menu, 5. Media Center, 1. Music & Tones, 5. My Sounds, highlight your file (they should show up and you can see they have a different icon when accessed from the card), choose Options, 1. Send. Now you’re about to send it as a text. Choose Add or put in your phone number, put in some text, and send away!

9. Hopefully in a few moments the text will arrive. Once received and opened, choose Options, 4. Save As Ringtone.

The rest is basic from there!

do not slap shaving cream on your firewall box

Rothman makes the following comment about IPS:

Personally, I think it’s a pipe dream. The market has voted most IPS blocking off the island, opting instead to block maybe 2-3% of the applicable rules and monitor the rest. What makes us think that, even over a reasonable planning horizon (5-7 years), detection will become granular and accurate enough to actually do this kind of automated blocking?

When your buddy is slumbering soundly on the couch, he unconsciously moves or swats the fly lightly landing on his cheek. Watching this a couple times leads to the brilliant idea to fill that hand with shaving cream and tickle his cheek so the automatic reaction results in a face full of cream. That’s my analogy on the issue with most IPS rules. I’m not anti-IPS or automatic blocking, but I am anti-dumb-unconscious-blocking which, as Rothman says, only works for a stupidly small set of triggers, yet.

working from home this week

Where have I been all week? What day is it? Oh, the signs of working from home all week. Really, I’ve been attending to misc issues in the mornings and late afternoons with 6 hours of remote Citrix training in the middle. At least I get to do this from the comforts of my own home and in my pajamas.

office hunting lessons for a small tech shop

I’ve read Joel Spolsky for years, and it never ceases to amaze me that there are really people out in the world who get it. The dot com boom may have come and gone, but there are plenty of us IT guys who would love to do something great in a worthwhile environment, but are mired in the “cheap” majority of business, just like the architects near the end of Joel’s latest article on finding new office space. And read that section carefully, it’s an excellent circular reference back to getting results from professionals by helping them out of the mundane.

There will be a reception area with a dry creek of stones and pebbles and plants that will make a great first impression on our guests. There will be a big lunchroom, because we all eat together, as well as a coffee bar, a lounge, a 180-gallon saltwater aquarium, the aforementioned shower, a library with reclining chairs for naps, two private meeting rooms, 20 private offices for programmers, 23 adjustable-height workstations for everyone else, Wi-Fi, a big screen for movies and video games, and enough glass to build the world’s largest ant farm. We will have some room to grow, finally. And in two years, if all goes well, it will be too small for us.

I’d almost become a programmer just for that!

Yeah, I know, that sounds like a plush job where people can slack off and do no work. But that’s really not true, especially for the talent Fog Creek wants to attract. Besides, you put money into employees, you don’t try to wring them dry and put in as little as humanly (or inhumanly) possible. Put money in, provide a creative atmosphere, get value out. I’m sure the cost of the employee amenities is a drop in the bucket compared to the value they’ve generated in return.

security kept us from being hacked yesterday!

Security news is inherently negative. Other than industry news, which is more press release-like than real news, our security news is negative and depressing. I never hear stories like “Yesterday, the security team hardened a weak Windows server found on the network!” Or, “Good job last week security team, no successful intrusions!”

Yeah, that’s part of the utility nature of security, where no one gives a rip until it breaks. But we do need some positive news now and then, if nothing else at least for our budget-makers.

Of course, both the constant negative news and the need to point out when things are fine only serve to make us sound like we’re FUDding around… “What do you mean we were secure last week with no intrusions, are you threatening me?!”